Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Won't Do
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: REST
Labels:
None

Blocked:
False
Ready:
False
Release Note Text:
Undefined
Target Release:

7.3.z.GA
Workaround Description:
Hide

Add the below custom ExceptionMapper to remove the response body:

import javax.ws.rs.NotFoundException; import javax.ws.rs.core.Response; import javax.ws.rs.ext.ExceptionMapper; import javax.ws.rs.ext.Provider; @Provider public class MyNotFoundExceptionMapper implements ExceptionMapper<NotFoundException> { @Override public Response toResponse(NotFoundException e) { return Response.status(Response.Status.NOT_FOUND).build(); } }
Show
Add the below custom ExceptionMapper to remove the response body: import javax.ws.rs.NotFoundException; import javax.ws.rs.core.Response; import javax.ws.rs.ext.ExceptionMapper; import javax.ws.rs.ext.Provider; @Provider public class MyNotFoundExceptionMapper implements ExceptionMapper<NotFoundException> { @Override public Response toResponse(NotFoundException e) { return Response.status(Response.Status.NOT_FOUND).build(); } }
Steps to Reproduce:
Hide

Using jboss-quickstart's helloworld-rs app, reproduce in JBoss EAP 7.3.7:

$ git clone https://github.com/jboss-developer/jboss-eap-quickstarts.git $ cd jboss-eap-quickstarts/helloworld-rs $ mvn clean package $ cp target/helloworld-rs.war jboss-eap-7.3.7/standalone/deployments/ // For JBoss EAP 7.3.7 as latest $ curl 127.0.0.1:8080/helloworld-rs/rest/html RESTEASY003210: Could not find resource for full path: http://127.0.0.1:8080/helloworld-rs/rest/html // For JBoss EAP 7.2.9 $ curl -v 127.0.0.1:8080/helloworld-rs/rest/html $ (only return HTTP header, no HTTP response body.)
Show
Using jboss-quickstart's helloworld-rs app, reproduce in JBoss EAP 7.3.7: $ git clone https://github.com/jboss-developer/jboss-eap-quickstarts.git $ cd jboss-eap-quickstarts/helloworld-rs $ mvn clean package $ cp target/helloworld-rs.war jboss-eap-7.3.7/standalone/deployments/ // For JBoss EAP 7.3.7 as latest $ curl 127.0.0.1:8080/helloworld-rs/rest/html RESTEASY003210: Could not find resource for full path: http://127.0.0.1:8080/helloworld-rs/rest/html // For JBoss EAP 7.2.9 $ curl -v 127.0.0.1:8080/helloworld-rs/rest/html $ (only return HTTP header, no HTTP response body.)

SFDC Cases Counter:
SFDC Cases Links:

Description

In JBoss EAP 7.3.0 and later which merged ~~RESTEASY-2189~~, the default ExceptionHandler returns "RESTEASY003210: Could not find resource for full path: <path>" in the response body when request path is not found:

$ curl 127.0.0.1:8080/helloworld-rs/rest/html
RESTEASY003210: Could not find resource for full path: http://127.0.0.1:8080/helloworld-rs/rest/html

A malicious user can find out that RESTEasy is being used in the backend. I believe the default message returned by the server should not contain any messages that can guess the product name or versions.

I think it would be more appropriate to just return the response header same as in JBoss EAP 7.2.9 and earlier.

Attachments

Issue Links

incorporates

JBEAP-22401 [GSS](7.4.z) RESTEASY-2997 - RESTEASY003210 is appeared in response body when request resource is not found

Verified

Activity

People

Assignee:: James Perkins

Reporter:: Norito Agetsuma

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 2021/06/07 9:20 AM

Updated:: 2022/05/26 9:27 PM

Resolved:: 2022/05/26 9:27 PM